gitlab-org--gitlab-foss/app/finders/labels_finder.rb

class LabelsFinder < UnionFinder
  def initialize(current_user, params = {})
    @current_user = current_user
    @params = params
  end

  def execute(skip_authorization: false)
    @skip_authorization = skip_authorization
    items = find_union(label_ids, Label) || Label.none
    items = with_title(items)
    sort(items)
  end

  private

  attr_reader :current_user, :params, :skip_authorization

  def label_ids
    label_ids = []

    if project?
      if project
        if project.group.present?
          labels_table = Label.arel_table

          label_ids << Label.where(
            labels_table[:type].eq('GroupLabel').and(labels_table[:group_id].eq(project.group.id)).or(
              labels_table[:type].eq('ProjectLabel').and(labels_table[:project_id].eq(project.id))
            )
          )
        else
          label_ids << project.labels
        end
      end
    else
      label_ids << Label.where(group_id: projects.group_ids)
      label_ids << Label.where(project_id: projects.select(:id))
    end

    label_ids
  end

  def sort(items)
    items.reorder(title: :asc)
  end

  def with_title(items)
    return items if title.nil?
    return items.none if title.blank?

    items.where(title: title)
  end

  def group?
    params[:group_id].present?
  end

  def project?
    params[:project_id].present?
  end

  def projects?
    params[:project_ids].present?
  end

  def title
    params[:title] || params[:name]
  end

  def project
    return @project if defined?(@project)

    if project?
      @project = Project.find(params[:project_id])
      @project = nil unless authorized_to_read_labels?(@project)
    else
      @project = nil
    end

    @project
  end

  def projects
    return @projects if defined?(@projects)

    @projects = if skip_authorization
                  Project.all
                else
                  ProjectsFinder.new(params: { non_archived: true }, current_user: current_user).execute
                end

    @projects = @projects.in_namespace(params[:group_id]) if group?
    @projects = @projects.where(id: params[:project_ids]) if projects?
    @projects = @projects.reorder(nil)

    @projects
  end

  def authorized_to_read_labels?(project)
    return true if skip_authorization

    Ability.allowed?(current_user, :read_label, project)
  end
end
LabelsFinder inherits from UnionFinder 2016-09-20 04:08:04 +00:00			`class LabelsFinder < UnionFinder`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`def initialize(current_user, params = {})`
			`@current_user = current_user`
			`@params = params`
			`end`

Pass user instance to Labels::FindOrCreateService or skip_authorization: true Do not pass project.owner because it may return a group and Labels::FindOrCreateService throws an error in this case. Fixes #23694. 2016-10-28 09:31:45 +00:00			`def execute(skip_authorization: false)`
			`@skip_authorization = skip_authorization`
Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`items = find_union(label_ids, Label) \|\| Label.none`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`items = with_title(items)`
			`sort(items)`
			`end`

			`private`

Pass user instance to Labels::FindOrCreateService or skip_authorization: true Do not pass project.owner because it may return a group and Labels::FindOrCreateService throws an error in this case. Fixes #23694. 2016-10-28 09:31:45 +00:00			`attr_reader :current_user, :params, :skip_authorization`
Add LabelsFinder 2016-09-19 20:16:16 +00:00
LabelsFinder inherits from UnionFinder 2016-09-20 04:08:04 +00:00			`def label_ids`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`label_ids = []`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00
Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`if project?`
			`if project`
Optimize labels finder query Optimize labels finder query when searching for a project with a group 2017-03-26 21:43:35 +00:00			`if project.group.present?`
			`labels_table = Label.arel_table`

			`label_ids << Label.where(`
			`labels_table[:type].eq('GroupLabel').and(labels_table[:group_id].eq(project.group.id)).or(`
			`labels_table[:type].eq('ProjectLabel').and(labels_table[:project_id].eq(project.id))`
			`)`
			`)`
			`else`
			`label_ids << project.labels`
			`end`
Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`end`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`else`
			`label_ids << Label.where(group_id: projects.group_ids)`
			`label_ids << Label.where(project_id: projects.select(:id))`
			`end`

			`label_ids`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

List only labels that belongs to the group on the group issues page 2016-09-20 14:55:31 +00:00			`def sort(items)`
Remove order by label type on LabelsFinder 2016-10-19 13:59:31 +00:00			`items.reorder(title: :asc)`
List only labels that belongs to the group on the group issues page 2016-09-20 14:55:31 +00:00			`end`

Add LabelsFinder 2016-09-19 20:16:16 +00:00			`def with_title(items)`
Improve readability and add specs for label filtering 2016-10-25 06:04:38 +00:00			`return items if title.nil?`
			`return items.none if title.blank?`

			`items.where(title: title)`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`def group?`
			`params[:group_id].present?`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`def project?`
			`params[:project_id].present?`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`def projects?`
			`params[:project_ids].present?`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`end`

Add LabelsFinder 2016-09-19 20:16:16 +00:00			`def title`
Improve readability and add specs for label filtering 2016-10-25 06:04:38 +00:00			`params[:title] \|\| params[:name]`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`

Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`def project`
			`return @project if defined?(@project)`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`if project?`
			`@project = Project.find(params[:project_id])`
			`@project = nil unless authorized_to_read_labels?(@project)`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`else`
			`@project = nil`
			`end`

			`@project`
			`end`

Add LabelsFinder 2016-09-19 20:16:16 +00:00			`def projects`
			`return @projects if defined?(@projects)`

Hide archived project labels from group issue tracker 2017-06-29 05:23:38 +00:00			`@projects = if skip_authorization`
			`Project.all`
			`else`
			`ProjectsFinder.new(params: { non_archived: true }, current_user: current_user).execute`
			`end`

Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`@projects = @projects.in_namespace(params[:group_id]) if group?`
			`@projects = @projects.where(id: params[:project_ids]) if projects?`
List only labels that belongs to the group on the group issues page 2016-09-20 14:55:31 +00:00			`@projects = @projects.reorder(nil)`
Add LabelsFinder 2016-09-19 20:16:16 +00:00
			`@projects`
			`end`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00
Limit labels returned for a specific project as an administrator Prior, an administrator viewing a project's Labels page would see _all_ labels from every project they had access to, rather than only the labels of that specific project (if any). This was not an information disclosure, as admins have access to everything, but it was a performance issue. 2016-11-16 09:51:47 +00:00			`def authorized_to_read_labels?(project)`
			`return true if skip_authorization`

			`Ability.allowed?(current_user, :read_label, project)`
Reuse LabelsFinder on Banzai::Filter::LabelReferenceFilter 2016-09-29 18:50:14 +00:00			`end`
Add LabelsFinder 2016-09-19 20:16:16 +00:00			`end`